Bug 784483 - suid programs, like passwd, should be compiled with RELRO and PIE
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: 16
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Bill Nottingham
Reported: 2012-01-25 04:55 UTC by Vincent Danen
Modified: 2014-03-17 03:29 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-02-14 02:30:57 UTC

Description Vincent Danen 2012-01-25 04:55:22 UTC
We should be compiling all suid programs with RELRO and PIE support.  Currently many (most?) are not compiled in this way.  This bug is for passwd, but is relevant to all of the other suid programs as well.

Another thing I would like to see is perhaps a policy in place that if you provide an suid program (or sgid, doesn't really matter to whom, but root is obviously most critical), that we reject packages with said programs _not_ compiled with RELRO/PIE support.

Comment 3 Eugene Teo (Security Response) 2012-01-29 14:23:21 UTC
What has been done? This bug was closed without a conclusion? Please update what has been done, and why this was closed. Thanks.

Comment 4 Eugene Teo (Security Response) 2012-01-29 14:23:56 UTC
There are other packages other than passwd that need to be dealt with.

Comment 5 Tomas Mraz 2012-01-30 09:11:55 UTC
Then you shouldn't have opened just a single bug against passwd. Each package which still needs fixing with regard to this issue should get its own bug.

Passwd is fixed as of passwd-0.78.99-1.fc17

Comment 6 Bill Nottingham 2012-01-30 21:32:27 UTC
See the packaging guidelines; specifically the bits about:

%define _hardened_build 1

Comment 7 Vincent Danen 2012-01-31 06:44:09 UTC
I see that, and thanks for pointing it out.  However the packaging guidelines indicate that certain types of programs _should_ have it enabled, not _must_ have it enabled.

I think it makes sense to make it policy that suid programs _must_ have it enabled; the hardened packages list is pretty small:  http://fedoraproject.org/wiki/Hardened_Packages

While those packages are important, I don't see others like policykit or passwd, etc. on the list.

Tomas: I didn't want to start bug spamming on this without knowing whether or not this was something that people agreed with, so I picked an obvious one first.  If the consensus or general agreement is that suid applications should be compiled with PIE, I would be more than happy to file bugs for everything that ships an suid application in Fedora.

Comment 8 Tomas Mraz 2012-01-31 07:10:49 UTC
I think there is no dispute that suid and most probably also setcaps binaries should be compiled with PIE and full RELRO. These binaries are small and thus the relocations and non-prelinkability should not matter performance-wise at all. The hardened_build 1 however makes the whole package be built with these build flags, which might perhaps be undesirable for some bigger packages which contain just one small suid binary. In this case the flags should be applied to the suid binary alone.
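
Added example, not part of the original bug thread and not Fedora's own tooling: a Python check for the policy proposed in the description and the "PIE and full RELRO" requirement from comment 8. It walks a directory for setuid/setgid files and reports those that are not PIE or lack full RELRO. It assumes little-endian ELF64 binaries; the function names and the default scan roots are hypothetical.

```python
import os, stat, struct, sys

ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
NOW_MASK, DF_1_PIE = {DT_FLAGS: 0x8, DT_FLAGS_1: 0x1}, 0x08000000  # DF_BIND_NOW, DF_1_NOW

def elf_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'}; None if not little-endian ELF64."""
    if len(data) < 64 or data[:6] != b"\x7fELF\x02\x01":
        return None
    hdr = struct.unpack_from("<HHIQQQIHHH", data, 16)
    e_type, e_phoff, phentsize, phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    interp = relro = bind_now = pie_flag = False
    for off in range(e_phoff, e_phoff + phnum * phentsize, phentsize or 56):
        if off + 56 > len(data):          # truncated program header table
            break
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        interp |= p_type == PT_INTERP
        relro |= p_type == PT_GNU_RELRO
        if p_type == PT_DYNAMIC:
            end = min(p_offset + p_filesz, len(data))
            for pos in range(p_offset, end - 15, 16):   # Elf64_Dyn: tag, value
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_BIND_NOW or bool(val & NOW_MASK.get(tag, 0))
                pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # ET_DYN also describes shared libraries: require PT_INTERP or the linker's PIE flag too.
    pie = e_type == ET_DYN and (interp or pie_flag)
    return {"pie": pie, "relro": ("full" if bind_now else "partial") if relro else "none"}

def audit(root):
    """Yield (path, result) for setuid/setgid ELF files under root lacking PIE or full RELRO."""
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                mode = os.lstat(path).st_mode
                if not (stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)):
                    continue
                with open(path, "rb") as fh:
                    res = elf_hardening(fh.read())
            except OSError:               # unreadable file: skip rather than abort the scan
                continue
            if res and not (res["pie"] and res["relro"] == "full"):
                yield path, res

if __name__ == "__main__":
    for root in sys.argv[1:] or ["/usr/bin", "/usr/sbin"]:   # default roots are an assumption
        print(*audit(root), sep="\n")
```

Partial RELRO (a `PT_GNU_RELRO` segment without any bind-now flag) is reported separately from full RELRO because only the latter leaves the whole GOT read-only after startup.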

Comment 9 Bill Nottingham 2012-01-31 15:31:23 UTC
A change from should -> must should be taken up with FPC:

https://fedoraproject.org/wiki/Packaging/Committee

Comment 10 Bill Nottingham 2012-03-08 19:30:22 UTC
https://fedorahosted.org/fpc/ticket/144

If you want to use this bug as a tracker for getting this universally fixed in existing packages, go for it.

Comment 11 Fedora End Of Life 2013-02-14 02:31:01 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 12 Vincent Danen 2013-02-15 17:15:27 UTC
The guidelines were updated quite a while ago:

https://fedoraproject.org/wiki/Packaging:Guidelines#PIE
